12292973

Query Generalization for Prevention of Injection Attacks

Published: May 6, 2025
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for detecting a security vulnerability of a target query to a database, the method comprising: obtaining a set of training queries, each training query comprising a predicate and one or more accessed columns returned from evaluating the predicate; transforming the set of training queries into a structure, the structure relating, for an accessed column and a training query, the predicate and a correlation value to the accessed column; normalizing the structure into a normalized structure, the normalized structure grouping entries in the structure according to accessed column; generating a generalized query from the normalized structure; adding the generalized query to a query filter list; and preventing execution of the target query based on a comparison with the query filter list.

2. The method of claim 1, wherein generating the generalized query comprises: generalizing at least one entry in the normalized structure to create a generalized structure, and generating the generalized query from the generalized structure.

3. The method of claim 1, wherein generating the generalized query comprises: determining that a threshold portion of columns of a table are accessed columns in the normalized structure, and changing a plurality of accessed column identifiers in the table to a generic table identifier.

4. The method of claim 1, wherein generating the generalized query comprises: performing predicate generalization of at least one predicate in the normalized structure.

5. The method of claim 1, further comprising: receiving the target query; comparing the target query to the generalized query in the query filter list to obtain a comparison result; and making a determination whether to execute the target query based on the comparison result.

6. The method of claim 5, wherein comparing the target query to the generalized query comprises at least one selected from a group consisting of: determining that a target accessed column in the target query is not a subset of the accessed column in the generalized query, determining that the target accessed column is not a subset of a plurality of accessed columns, and determining that a target predicate fails to imply a generalized predicate.

7. The method of claim 1, further comprising: determining a group of accessed columns that are accessed in the training query; and adding the group of accessed columns as the correlation value for the accessed column.

8. The method of claim 1, wherein normalizing the structure into the normalized structure comprises: grouping a subset of entries in the structure that are for a same accessed column by generating a disjunction of predicates in the subset of entries, and relating the disjunction to the accessed column in the normalized structure.

9. The method of claim 1, wherein generating the generalized query comprises: generating entries in the normalized structure to create a plurality of generalized entries, generating a union of sub-queries, each sub-query corresponding to a generalized entry of the normalized structure, and generating the generalized query from the union.

10. A system for detecting a security vulnerability of a target query to a database, the system comprising: a memory comprising a query analyzer repository configured to store: a query filter list comprising a generalized query, and a set of training queries, each training query comprising a predicate and one or more accessed columns returned from evaluating the predicate; at least one computer processor; and a query filter list generator executing on the at least one computer processor configured to: transform the set of training queries into a structure, the structure relating individually, for an accessed column and a training query, the predicate and a correlation value to the accessed column, normalize the structure into a normalized structure, the normalized structure grouping entries in the structure according to accessed column, generate the generalized query from the normalized structure, and add the generalized query to the query filter list, the at least one computer processor preventing execution of the target query based on a comparison with the query filter list.

11. The system of claim 10, further comprising: a generalized structure comprising at least one entry in the normalized structure to create the generalized structure, wherein the generalized query is generated from the generalized structure.

12. The system of claim 10, wherein the query analyzer repository comprises: a threshold number, representing a portion of columns of a table that are accessed columns in the normalized structure to change a plurality of accessed column identifiers in the table to a generic table identifier.

13. The system of claim 12, wherein the threshold number is a percentage.

14. The system of claim 10, further comprising: a query filter executing on the at least one computer processor configured to: receive the target query, compare the target query to the generalized query in the query filter list to obtain a comparison result, and make a determination whether to execute the target query based on the comparison result.

15. The system of claim 14, wherein comparing the target query to the generalized query comprises at least one selected from a group consisting of: determining that a target accessed column in the target query is not a subset of a permitted accessed column in the generalized query, determining that the target accessed column is not a subset of a plurality of permitted accessed columns, and determining that a target predicate fails to imply a permitted predicate.

16. A method for preventing a security vulnerability of a target query to a database, the method comprising: receiving the target query; comparing the target query to a generalized query in a query filter list to obtain a comparison result, wherein the query filter list is generated by generalizing a set of training queries into the generalized query, wherein generating the query filter list comprises: transforming the set of training queries into a structure, the structure relating, for an accessed column and a training query, a predicate and a correlation value to the accessed column, normalizing the structure into a normalized structure, the normalized structure grouping entries in the structure according to accessed column, generating the generalized query from the normalized structure, and adding the generalized query to the query filter list; making a determination whether to execute the target query based on the comparison result; and preventing execution of the target query based on a comparison with the query filter list.

17. The method of claim 16, wherein comparing the target query to the generalized query comprises at least one selected from a group consisting of: determining that a target accessed column in the target query is not a subset of a permitted accessed column in the generalized query, determining that the target accessed column is not a subset of a plurality of permitted accessed columns, and determining that a target predicate fails to imply a permitted predicate.

18. The method of claim 16, wherein generating the query filter list further comprises: obtaining the set of training queries, each training query comprising the predicate and one or more accessed columns returned from evaluating the predicate.

19. The method of claim 18, wherein generating the generalized query comprises: generalizing at least one entry in the normalized structured to create a generalized structure, and generating the generalized query from the generalized structure.

20. The method of claim 18, wherein generating the generalized query comprises: determining that a threshold portion of columns of a table are accessed columns in the normalized structure, and changing a plurality of accessed column identifiers in the table to a generic table identifier.
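
The flow recited in claims 1, 6, 7 and 8 (training queries, per-column structure with a correlation value, normalization by accessed column, comparison of a target query against the filter list) can be sketched as follows. This is an added illustration, not code from the patent or its inventors. It assumes a simplified model in which a predicate is a conjunction of atomic condition strings, and the training queries, column names and the reading of the claim 6 checks are constructed for the example.

```python
from collections import defaultdict

# Constructed training queries: (accessed columns, predicate).
# Assumption: a predicate is a conjunction of atomic conditions.
TRAINING = [
    (("name", "email"), frozenset({"id = ?"})),
    (("name",), frozenset({"status = 'active'", "org_id = ?"})),
]

def build_structure(training):
    """One entry per (accessed column, training query): the predicate plus the
    group of columns accessed together (the correlation value, claim 7)."""
    return [(col, pred, frozenset(cols)) for cols, pred in training for col in cols]

def normalize(structure):
    """Group entries by accessed column; their predicates form a disjunction (claim 8)."""
    grouped = defaultdict(lambda: {"disjuncts": set(), "groups": set()})
    for col, pred, corr in structure:
        grouped[col]["disjuncts"].add(pred)
        grouped[col]["groups"].add(corr)
    return dict(grouped)

def implies(target_pred, disjuncts):
    """A conjunction P implies (D1 or D2 or ...) if every atom of some Di is in P.
    Sufficient check for this simplified model only."""
    return any(d <= target_pred for d in disjuncts)

def allowed(columns, predicate, filter_list):
    """Apply the three claim 6 checks; return (decision, reason)."""
    cols, pred = frozenset(columns), frozenset(predicate)
    for col in cols:
        entry = filter_list.get(col)
        if entry is None:
            return False, f"column {col!r} never accessed in training"
        if not any(cols <= g for g in entry["groups"]):
            return False, f"columns {sorted(cols)} not within a trained group"
        if not implies(pred, entry["disjuncts"]):
            return False, f"predicate does not imply permitted predicate for {col!r}"
    return True, "ok"

# The filter list here is the normalized structure itself (no further generalization).
FILTER_LIST = normalize(build_structure(TRAINING))
```

A target query whose predicate has collapsed to a tautology, or that reads a column outside every trained group, is rejected, while a query that narrows a trained predicate still passes.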

Patent Metadata

Filing Date

Unknown

Publication Date

May 6, 2025

Inventors

Kostyantyn Vorobyov
Padmanabhan Krishnan

Cite as: Patentable. “QUERY GENERALIZATION FOR PREVENTION OF INJECTION ATTACKS” (12292973). https://patentable.app/patents/12292973